
One or more exceptions trying to commit keystore changes


Article ID: 242096


Updated On:

Products

CA Single Sign-On

Issue/Introduction

While trying to import a new certificate to replace an expiring one, the UI reported this error message:

Error: System error trying to complete import : One or more exceptions trying to commit keystore changes. Please consult the logs.

 

Environment

Any Release : 12.8.x

Component : SITEMINDER -POLICY SERVER

Cause

UI log showed:

2022-05-19 16:14:57,171 [ERROR] com.ca.siteminder.rpc.rpc.ClientDispatcher [] - fault ServerException([sm-xpsxps-00540] : Previous error occurred on object "CA.CDS::[email protected]" : ) object.create 'Certificate'
2022-05-19 16:14:57,174 [ERROR] com.ca.fedpki.api.remote.FedPkiKeyStore [] - **ERROR** java.io.IOException commiting keystore change for alias XXXXXXXX.
java.io.IOException: Exception occurred while adding a certificate to the Certificate Data Store. Exception Message: Failed creating object of class Certificate. 
 at com.ca.siteminder.security.SMKeyDatabaseStore.store(Unknown Source) ~[fedsecurity.jar:?]
 at com.ca.fedpki.api.remote.FedPkiKeyStore.engineStore(Unknown Source) ~[fedremoteapi.jar:?]

CDS log showed:

[Apr 22 2022 18:07:42,998] CertificateDataStore [ERROR] CertificateDataStoreImpl.addPrivateKeyToDB(alias,privateKey,certificate):  An exception occurred while adding private key and certificate to the Certificate Data Store. Exception Message: Failed creating object of class Certificate.
com.ca.siteminder.sdk.adminapi.ServerException: object.create Certificate
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:1.8.0_212]
 at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:1.8.0_212]
 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:1.8.0_212]

 

The same certificate imported successfully in a lab with LDAP and ODBC Policy Stores, which implied that the problem was not a product issue but something in either the database or the configuration. No other Policy Store issues were observed, and deleting an existing certificate was successful.

Inspecting system_odbc.ini showed the DSN configured as below:

[SiteMinder Data Source]
Driver=/apps/CA/siteminder/odbc/lib/NSora28.so
Description=DataDirect 8.0 Oracle Wire Protocol
HostName=XXX.XXX.XXX.XXX
PortNumber=1521
ServiceName=XXXXX
#SID=nete_serverid
CatalogOptions=0
ProcedureRetResults=0
EnableDescribeParam=0
EnableStaticCursorsForLongData=0
ApplicationUsingThreads=1
DMCleanup=2
EnableTimestampWithTimeZone=1

In older builds of the NSora28 driver, the default value of EnableNCharSupport was 0. In newer versions the default value is 1. The DSN above does not set EnableNCharSupport, so the driver default applies. To maintain the behavior SiteMinder needs, explicitly configure the Policy Store DSN with EnableNCharSupport=0.

Note: checking the ODBC trace log showed that this driver was version 08.02.2314.

 

Resolution

Verify that system_odbc.ini has the Policy Store DSN configured with EnableNCharSupport=0. The Policy Server must be restarted to pick up this change.

Example

[SiteMinder Data Source]
Driver=/apps/CA/siteminder/odbc/lib/NSora28.so
Description=DataDirect 8.0 Oracle Wire Protocol
HostName=XXX.XXX.XXX.XXX
PortNumber=1521
ServiceName=XXXXX
#SID=nete_serverid
CatalogOptions=0
ProcedureRetResults=0
EnableDescribeParam=0
EnableStaticCursorsForLongData=0
ApplicationUsingThreads=1
DMCleanup=2
EnableTimestampWithTimeZone=1
EnableNCharSupport=0
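
One way to check every DSN in system_odbc.ini for this setting, as an added example that is not part of the original article or the product. It assumes the file parses as a plain INI file; the function name, the DSN names other than "SiteMinder Data Source" and the /opt/example path are made up for illustration.

```python
import configparser
import sys

# Constructed sample: only "SiteMinder Data Source" and the NSora28 path come from the article.
SAMPLE_INI = """\
[SiteMinder Data Source]
Driver=/apps/CA/siteminder/odbc/lib/NSora28.so
#SID=nete_serverid

[Fixed Data Source]
Driver=/apps/CA/siteminder/odbc/lib/NSora28.so
EnableNCharSupport =0

[Overridden Data Source]
Driver=/apps/CA/siteminder/odbc/lib/NSora28.so
EnableNCharSupport=1

[Other Driver]
Driver=/opt/example/lib/other.so
"""

def audit_nchar_support(ini_text, driver_hint="NSora"):
    """Map each DSN whose Driver path contains driver_hint to 'ok' (explicit 0),
    'missing' (driver default applies) or 'wrong:<value>'."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True,
        delimiters=("=",), comment_prefixes=("#", ";"))
    parser.read_string(ini_text)  # option names are matched case-insensitively
    results = {}
    for dsn in parser.sections():
        driver = parser.get(dsn, "Driver", fallback="") or ""
        if driver_hint.lower() not in driver.lower():
            continue  # section does not use the NSora driver, so it is skipped
        value = parser.get(dsn, "EnableNCharSupport", fallback=None)
        if value is None:
            results[dsn] = "missing"
        elif value.strip() == "0":
            results[dsn] = "ok"
        else:
            results[dsn] = "wrong:" + value.strip()
    return results

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    report = audit_nchar_support(text)
    for dsn, status in report.items():
        print(f"{dsn}: EnableNCharSupport {status}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Run it with the path to system_odbc.ini as the first argument; a non-zero exit status means at least one NSora DSN is relying on the driver default or sets a value other than 0.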